How to troubleshoot LANDESK Device Control


    Verified Product Versions

    LANDESK Management Suite 9.5
    LANDESK Management Suite 9.6

    This article details the troubleshooting steps for LANDESK Device Control.

    LANDESK Device Control uses settings defined in .XML files called "behavior files", in the same way that Agent Behavior or Scan and Repair settings use behavior files.

     

    LANDESK Device Control Installation

     

    In order for LANDESK Device Control to be installed on a device, all of the following must be true.

    1. Endpoint Security must be checked as a component in the Agent Configuration, under Start - Agent Components to install.

    (Screenshot: AgentComponentSelection.png)

    2. The proper Endpoint Security setting must be selected in the Agent Configuration, under Security and Compliance - Endpoint Security - Machine Configuration.

    (Screenshot: Endpoint SecurityAgentConfig.jpg)

    3. Within the selected Endpoint Security setting, Device Control must be selected as one of the Security Policies to install.

    (Screenshot: DeviceControlinEndpointSettings.jpg)

     


    Note:
    If the Agent was installed without Endpoint Security, Endpoint Security can be installed later by pushing an "Install/Update Security Configurations" task from the Security Configurations Tool "Create a Task" drop-down.

     

    Important Files in LANDESK Device Control


    Files within the LDCLIENT\HIPS directory:

        DCM.LOG - Device Control Manager device log file
        DCMVOLUMES.LOG - Device Control Manager volumes log file
        DCM.XML - Device Control Manager behavior file

    Files within the \Documents And Settings\All Users\Application Data\LDSEC directory (prior to Windows Vista) or the \ProgramData\LDSEC directory (Vista and later):

        BVD.RPT - File used to display data in the client EPS GUI
        LDSECSVC-DCM-DEBUG.LOG - Debug log for the Device Control Manager
        HIPSCLIENTCONFIG-HIPS-debug.log - Log file for HIPSCLIENTCONFIG.EXE, the program used when installing Endpoint Security

    Files within the \Documents And Settings\All Users\Application Data\Vulscan directory (prior to Windows Vista) or the \ProgramData\Vulscan directory (Vista and later):

        HipsBehavior_(CoreServerName)_ID#.XML - Mainly contains Trusted Location information for HIPS and the LANDESK Firewall
        HipsBehavior_(CoreServerName)_ID#.ZIP - .ZIP file containing all Endpoint Security behavior .XML files
        ActionHistory.(ClientIPAddress).sent.#.xml - Action history sent from the client to the core
        vulscan.log or vulscan.#.log - Useful for troubleshooting installation and settings changes
        softmon.log - Logs ActionHistory activity for actions sent to the core by the Softmon process

     


    Important Registry Keys

        HKLM\Software\LANDESK\HIPS\

            Settings - Current EPS settings
            Known Volumes - Volumes that were present at the time of the DCM policy installation. These should be excluded from the volume policy.

     

    Reset Known Volumes

    This resets the list of volumes that EPS treats as allowed. You would reset the known volumes when an EPS configuration was deployed while an undesired volume (such as an external USB hard drive) was plugged in at install time. That drive is automatically added to the "Known Volumes" list, so it is allowed even if the EPS configuration contains a volume restriction policy.

    • Push out an agent configuration that allows all volumes. This resets the known volumes list.
    • Then push out the final agent configuration with the desired volume restrictions and exceptions.

    -or-

    • From a command prompt, run "sc.exe control ldsecsvc 130"
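    The following PowerShell script is an added example, not LANDESK tooling or part of the original article. It turns the grandfathering problem described above into a pre-deployment check: it dumps whatever is recorded under HKLM\Software\LANDESK\HIPS\Known Volumes (the article does not document the value layout, so the script assumes a subkey and falls back to a value of that name, printing the raw data either way), flags any removable volume attached right now (such a volume would be recorded as known if the EPS configuration were deployed at this moment), and wraps the documented reset command "sc.exe control ldsecsvc 130" so it can be previewed with -WhatIf. The function names are the author's own.

```powershell
# Added example (not LANDESK's own tooling): Known Volumes audit and reset wrapper.
$HipsKey         = 'HKLM:\SOFTWARE\LANDESK\HIPS'                 # key named in the article
$KnownVolumesKey = Join-Path $HipsKey 'Known Volumes'            # assumed to be a subkey of HIPS

function Get-KnownVolumeEntries {
    # Returns the raw name/data pairs recorded as "known" (empty if nothing is recorded).
    if (Test-Path -LiteralPath $KnownVolumesKey) {
        $key = Get-Item -LiteralPath $KnownVolumesKey
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Name = $name; Data = ($key.GetValue($name) -join ' ') }
        }
        return
    }
    # Fallback if "Known Volumes" is a value under ...\HIPS rather than a subkey.
    $parent = Get-Item -LiteralPath $HipsKey -ErrorAction SilentlyContinue
    if ($parent -and ($parent.GetValueNames() -contains 'Known Volumes')) {
        [pscustomobject]@{ Name = 'Known Volumes'; Data = ($parent.GetValue('Known Volumes') -join ' ') }
    }
}

function Get-AttachedRemovableVolumes {
    # Win32_Volume DriveType 2 = removable disk (3 = local fixed disk, 5 = CD-ROM).
    Get-CimInstance -ClassName Win32_Volume |
        Where-Object { $_.DriveType -eq 2 } |
        Select-Object DriveLetter, Label, SerialNumber, DeviceID
}

function Reset-KnownVolumes {
    # Sends user-defined control code 130 to the LDSECSVC service: the reset the article describes.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess('ldsecsvc', 'sc.exe control ldsecsvc 130')) {
        & sc.exe control ldsecsvc 130
    }
}

# --- usage ---
"Known Volumes entries currently recorded by Device Control:"
Get-KnownVolumeEntries | Format-Table -AutoSize

$removable = @(Get-AttachedRemovableVolumes)
if ($removable.Count -gt 0) {
    Write-Warning 'Removable volumes are attached. Unplug them before deploying the EPS configuration, or reset Known Volumes afterwards:'
    $removable | Format-Table -AutoSize
}

# Preview only; drop -WhatIf to actually send the reset control code (requires an elevated session).
Reset-KnownVolumes -WhatIf
```

    Run the audit before pushing the "allow all volumes" configuration and again after the final configuration; the Known Volumes list should then contain only the volumes present on the machine at deployment time.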

     

    General Troubleshooting Steps

    • Are the Device Control settings on the core server configured correctly for the expected outcome?

      - Check the Device Control settings in the Security Configurations Tool on the core server
      - Make sure you are looking in the correct group: My, Public or All
      - Make a note of the ID #, Name and Revision # of the Device Control setting

    (Screenshot: DeviceControlBehaviorSettings.jpg)

    • Do the Device Control settings on the client match what is listed on the core server?

      - Check which Endpoint Security setting is active on the client:
        Look in the registry at HKLM\Software\LANDESK\ManagementSuite\WinClient\Vulscan
        Do the Behavior ID, Name and Revision match the core setting? (If they differ, run "Vulscan /changesettings /showui")
      - Within the DCM.XML file in the LDCLIENT\HIPS directory, do the settings match what is expected?

    • Examine the log files (DCM.LOG and DCMVOLUMES.LOG in LDCLIENT\HIPS). The best way to gather them is to turn on debug logging.

      - Does any of the ActionHistory.(ClientIPAddress).ID#.sent.xml files contain the expected action?
        If not, reproduce the failure and check the ActionHistory XML files again.

    How actions are sent from the client to the core server

    Whenever an action takes place (a device is blocked, shadow copy activity occurs, etc.), the activity is recorded in the ActionHistory.(ClientIPAddress).ID#.xml file. If no further activity takes place within 2 minutes, Softmon sends this information to the core server. Otherwise, every time Vulscan runs it gathers the ActionHistory information and sends it to the core server. The ActionHistory information is stored in the SecurityAction table in the database and is displayed in the Security Activity window. After the ActionHistory is sent, the .XML file is renamed to .SENT.XML. 11 copies of this file are kept on the client: .sent, then .sent numbered 1-10.

    If ActionHistory is sent during a vulnerability scan, the action is logged in the Vulscan.log file.
    If ActionHistory is sent via Softmon, it is logged in the Softmon.log file.
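    The following PowerShell script is an added example, not part of the article or of the LANDESK product, and serves both the client-side checklist in General Troubleshooting Steps and the ActionHistory flow just described. It dumps the Vulscan registry key the article names (the exact value names holding the Behavior ID, Name and Revision are not given, so every value whose name mentions behavior, revision, id or name is printed for comparison with the core), confirms DCM.XML is present and parses as XML, lists the ActionHistory files newest first so the live file and its .sent copies can be told apart, and searches them for an expected action. $LdClient is an assumed agent install path; the search pattern 'USB' in the usage section is a constructed sample.

```powershell
# Added example (not LANDESK's own tooling): client-vs-core settings check and ActionHistory search.
$VulscanKey  = 'HKLM:\SOFTWARE\LANDESK\ManagementSuite\WinClient\Vulscan'   # key named in the article
$LdClient    = 'C:\Program Files (x86)\LANDesk\LDClient'                    # assumed; adjust to the agent's install path
$DcmXml      = Join-Path $LdClient 'HIPS\DCM.XML'
$VulscanData = 'C:\ProgramData\Vulscan'                                     # Vista-and-later path from the article

function Get-ClientBehaviorInfo {
    # Registry values that identify which Endpoint Security behavior the client applied.
    # Value names are not documented in the article, so this is a loose name filter.
    if (-not (Test-Path -LiteralPath $VulscanKey)) { return @() }
    $key = Get-Item -LiteralPath $VulscanKey
    foreach ($name in $key.GetValueNames()) {
        if ($name -match 'behavior|revision|id|name') {
            [pscustomobject]@{ Value = $name; Data = ($key.GetValue($name) -join ' ') }
        }
    }
}

function Test-DcmBehaviorFile {
    # True when DCM.XML exists and parses as XML. A missing or truncated file means the
    # Device Control setting never reached the client intact.
    if (-not (Test-Path -LiteralPath $DcmXml)) { return $false }
    try { [xml](Get-Content -LiteralPath $DcmXml -Raw) | Out-Null; return $true }
    catch { return $false }
}

function Get-ActionHistoryFiles {
    # Newest first: the live ActionHistory.*.xml, then the .sent.xml copies (.sent, .sent.1 .. .sent.10).
    Get-ChildItem -LiteralPath $VulscanData -Filter 'ActionHistory*.xml' -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending
}

function Find-ExpectedAction {
    # Reports which ActionHistory files mention the pattern (a device name, a drive letter, "block", ...).
    param([Parameter(Mandatory = $true)][string]$Pattern)
    Get-ActionHistoryFiles | Select-String -Pattern $Pattern -List |
        Select-Object @{ n = 'File'; e = { $_.Filename } }, LineNumber, @{ n = 'Match'; e = { $_.Line.Trim() } }
}

# --- usage ---
"Client behavior values (compare with the ID/Name/Revision noted on the core):"
Get-ClientBehaviorInfo | Format-Table -AutoSize
"DCM.XML present and well-formed: $(Test-DcmBehaviorFile)"
"ActionHistory files, newest first (the live file has not yet been sent to the core):"
Get-ActionHistoryFiles | Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize
# Constructed sample search: look for a blocked USB volume in the current and sent history.
Find-ExpectedAction -Pattern 'USB'
```

    If the behavior values differ from what the core shows, the article's remedy is "Vulscan /changesettings /showui"; if DCM.XML parses but the expected action is absent from every ActionHistory file, reproduce the event and search again, remembering that Softmon only forwards the file after 2 minutes of inactivity.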

     

    Items to gather and send to the LANDESK Support technician

     

    1. GetSystemInfo Report
    2. Debug Logs
    3. Exported Security Configuration Settings
    4. If issue is a blue screen, gather a Kernel Mode Memory dump

     

    Instructions for gathering this information follow:

     

    Gather a GetSystemInfo report

    GetSystemInfo gathers detailed information about a computer, including hardware, operating system, drivers, installed software, etc. This utility can be very useful for determining the cause of certain issues.

    For Windows Workstation/Server

    GetSystemInfo 6.0

    1. Run GetSystemInfo.exe on the computer with the problem.
    2. Click the Create report button on the right side of the main window.
    3. Wait until the utility has completely scanned the system.
    4. Click OK to confirm the creation of the report.

    A file will be created with the default name GetSystemInfo_<USER>_YYYY_MM_DD.zip.

    Attach this report to your created case, or e-mail it to your LANDESK Support technician.

     

    How to enable debug logging in LDMS 9.6 SP2

    1. Open the Endpoint Security GUI by clicking the EPS system tray icon.
    2. Hold LSHIFT (left shift key) + LCTRL (left control key), then click the drop-down menu in the upper right (next to the gear icons) to reveal the Extended Menu.
       (Screenshot: 1-newsettings.png)
    3. Click Enable debug mode.
       (Screenshot: 2-enable.png)
    4. While debugging is enabled, the Extended Menu shows this:
       (Screenshot: 3-extendedmenu_while_enabled.png)
    5. After reproducing the issue, click the drop-down menu while holding LSHIFT and LCTRL and choose Generate debug logs. The debug logs are saved to your desktop as eps-logs.zip.
       (Screenshot: 4-saved.png)
       The eps-logs.zip file contains the required information to send to support for troubleshooting.
    6. Once the debug logs have been generated, click the drop-down menu and choose Disable debug mode.

     

    The following steps must be taken when gathering Endpoint Security debug logs for LDMS 9.5:

    1. On the affected client, right-click the Endpoint Security system tray icon and select "Open".

    2. In the LANDESK Endpoint Security window, click the "Options" button in the top right; it looks like a wrench and a screwdriver crossing.

    3. In the Options window, click the "Troubleshooting Logs: Disabled" link at the bottom of the window. It switches to "Troubleshooting Logs: Enabled".

    4. Duplicate the issue that you wish to capture in the logs. If this requires a reboot, reboot at this time.

    5. Go back to the Options window and click the "Troubleshooting Logs: Enabled" link. It switches back to "Disabled" and you will see a script run that automatically copies all the needed troubleshooting logs to the desktop into the "Logs.cab" and "Logs.def" files.

    This compiles the following files and places them in "Logs.cab" on the desktop.

    Windows 2000/XP/2003:
         C:\Documents and Settings\All Users\Application Data\LDSec\*.*
         C:\Documents and Settings\All Users\Application Data\Vulscan\ActionHistory*.xml

    Windows 7 and higher:
         C:\ProgramData\LDSec\*.*
         C:\ProgramData\vulscan\ActionHistory*.xml
         LDClient\HIPS\*.log, *.xml, *.def, *.idx
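    The following PowerShell script is an added example, not the product's own "Troubleshooting Logs" script and not part of the article. It gathers the same Windows 7 and higher file set listed above into a zip on the desktop, for cases where the GUI toggle cannot be used (for example when the tray icon is unavailable). It assumes the agent install path in $LdClient, writes a .zip rather than the Logs.cab the GUI produces, and needs PowerShell 5.0 or later for Compress-Archive. Nothing is modified or deleted on the client.

```powershell
# Added example (not LANDESK's own script): bundle the Endpoint Security troubleshooting files.
$LdClient = 'C:\Program Files (x86)\LANDesk\LDClient'   # assumed; adjust to the agent's install path

function Get-EpsTroubleshootingFiles {
    # The file set from the article, Windows 7 and higher.
    $specs = @(
        @{ Path = 'C:\ProgramData\LDSec';       Filter = '*.*' },
        @{ Path = 'C:\ProgramData\vulscan';     Filter = 'ActionHistory*.xml' },
        @{ Path = (Join-Path $LdClient 'HIPS'); Filter = '*.log' },
        @{ Path = (Join-Path $LdClient 'HIPS'); Filter = '*.xml' },
        @{ Path = (Join-Path $LdClient 'HIPS'); Filter = '*.def' },
        @{ Path = (Join-Path $LdClient 'HIPS'); Filter = '*.idx' }
    )
    foreach ($s in $specs) {
        Get-ChildItem -LiteralPath $s.Path -Filter $s.Filter -File -ErrorAction SilentlyContinue
    }
}

function New-EpsLogBundle {
    # Copies the files into a staging folder, one subfolder per source directory so that
    # same-named files (e.g. several *.xml) do not collide, then zips it to the desktop.
    param(
        [string]$Destination = (Join-Path ([Environment]::GetFolderPath('Desktop')) "Logs_$env:COMPUTERNAME.zip")
    )
    $staging = Join-Path $env:TEMP ('eps-logs-' + [guid]::NewGuid().ToString('N'))
    try {
        $files = @(Get-EpsTroubleshootingFiles)
        if ($files.Count -eq 0) {
            Write-Warning 'No Endpoint Security files found; check $LdClient and that Endpoint Security is installed.'
            return
        }
        foreach ($file in $files) {
            $target = Join-Path $staging ($file.Directory.FullName -replace '[:\\]', '_')
            New-Item -ItemType Directory -Path $target -Force | Out-Null
            Copy-Item -LiteralPath $file.FullName -Destination $target -ErrorAction SilentlyContinue
        }
        Compress-Archive -Path (Join-Path $staging '*') -DestinationPath $Destination -Force
        Get-Item -LiteralPath $Destination
    }
    finally {
        Remove-Item -LiteralPath $staging -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# --- usage ---
$bundle = New-EpsLogBundle
if ($bundle) {
    "Collected $(@(Get-EpsTroubleshootingFiles).Count) files into $($bundle.FullName)"
}
```

    Reproduce the issue first, as step 4 says, and run the script immediately afterwards so the live ActionHistory file is captured before Softmon renames it to .sent.xml.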

     

    If the problem is a Blue Screen, collect a Kernel Memory Dump

    1. Right-click "My Computer" and choose "Properties".

    2. Go to the "Advanced" tab and click "Settings" under "Startup and Recovery".

    3. Under the "System failure" section, under "Write debugging information", click the drop-down and select "Kernel memory dump".

    4. Make a note of the path that the MEMORY.DMP file will be saved to.
    5. Duplicate the blue screen issue, then collect the MEMORY.DMP file and compress it into a .ZIP file.

    A kernel memory dump must be supplied; a mini memory dump does not contain sufficient information.
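    The following PowerShell script is an added example, not part of the article. It performs the "Startup and Recovery" steps above through the registry values that dialog writes, so the setting can be verified or pushed to many clients without the GUI: under HKLM\SYSTEM\CurrentControlSet\Control\CrashControl, CrashDumpEnabled selects the dump type (0 none, 1 complete, 2 kernel, 3 small/mini, 7 automatic) and DumpFile holds the MEMORY.DMP path. A changed CrashDumpEnabled takes effect at the next boot and requires an elevated session. After the blue screen has been reproduced, Compress-CrashDump zips the dump with the case number in the name as the article asks; the case number in the usage line is a placeholder, and the function names are the author's own.

```powershell
# Added example (not LANDESK tooling): verify/set the kernel memory dump setting and package the dump.
$CrashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

function Get-CrashDumpConfig {
    # Reads the values behind the "Startup and Recovery" dialog.
    $p = Get-ItemProperty -LiteralPath $CrashControl
    $mode = switch ([int]$p.CrashDumpEnabled) {
        0 { 'None' } 1 { 'Complete' } 2 { 'Kernel' } 3 { 'Small (mini)' } 7 { 'Automatic' } default { 'Unknown' }
    }
    [pscustomobject]@{
        CrashDumpEnabled = $p.CrashDumpEnabled
        Mode             = $mode
        DumpFile         = [Environment]::ExpandEnvironmentVariables([string]$p.DumpFile)   # usually %SystemRoot%\MEMORY.DMP
    }
}

function Set-KernelMemoryDump {
    # Equivalent to choosing "Kernel memory dump" in the dialog (effective after a reboot).
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($CrashControl, 'Set CrashDumpEnabled = 2 (kernel memory dump)')) {
        Set-ItemProperty -LiteralPath $CrashControl -Name CrashDumpEnabled -Value 2 -Type DWord
    }
}

function Compress-CrashDump {
    # Zips MEMORY.DMP from the configured path, named as the article requests for the FTP upload.
    param(
        [string]$CaseNumber = 'CASE-NUMBER-PLACEHOLDER',                   # replace with the LANDESK case number
        [string]$OutDir     = [Environment]::GetFolderPath('Desktop')
    )
    $dump = (Get-CrashDumpConfig).DumpFile
    if (-not (Test-Path -LiteralPath $dump)) { throw "No memory dump found at $dump" }
    $zip = Join-Path $OutDir "LANDESK Case $CaseNumber Memory Dump.zip"
    Compress-Archive -LiteralPath $dump -DestinationPath $zip -Force
    Get-Item -LiteralPath $zip
}

# --- usage ---
$cfg = Get-CrashDumpConfig
$cfg
if ($cfg.CrashDumpEnabled -ne 2) {
    Write-Warning "Current mode is '$($cfg.Mode)'; a kernel memory dump is required."
    Set-KernelMemoryDump -WhatIf   # drop -WhatIf to apply, then reboot before reproducing the crash
}
# After the blue screen has been reproduced:
# Compress-CrashDump -CaseNumber '12345'
```

    Checking the mode before reproducing the crash avoids the common outcome of collecting a minidump that support cannot use; a kernel dump also needs a page file on the system drive at least as large as the kernel memory in use, which the dialog enforces and this script does not.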

    Summary of items gathered

    The following is the list of files to be supplied to the Support Technician:

    GetSystemInfo_Computername_Username_Date_time.zip
        From GetSystemInfo

    Logs.cab
        From "Gather Debug Logs"

    Endpoint Security Settings ##.ldms
        From exporting the Endpoint Security Setting (this filename will differ based on what you have named the setting)

    Device Control Setting ##.ldms
        From exporting the Device Control Setting (this filename will differ based on what you have named the setting)

    MEMORY.DMP
        If the issue was a blue screen and you have gathered a kernel memory dump

    MEMORY.DMP will likely be too large to attach to an e-mail. If this is the case, name your .ZIP file of MEMORY.DMP "LANDESK Case # Memory Dump.zip" and upload it to ftp://ftp.landesk.com/incoming